Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 58404BAC for ; Tue, 14 Jul 2015 13:13:50 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from relay3-d.mail.gandi.net (relay3-d.mail.gandi.net [217.70.183.195]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id E08D51B3 for ; Tue, 14 Jul 2015 13:13:49 +0000 (UTC) Received: from mfilter38-d.gandi.net (mfilter38-d.gandi.net [217.70.178.169]) by relay3-d.mail.gandi.net (Postfix) with ESMTP id 6E769A80AC for ; Tue, 14 Jul 2015 15:13:48 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at mfilter38-d.gandi.net Received: from relay3-d.mail.gandi.net ([217.70.183.195]) by mfilter38-d.gandi.net (mfilter38-d.gandi.net [10.0.15.180]) (amavisd-new, port 10024) with ESMTP id s7EvrTud2prr for ; Tue, 14 Jul 2015 15:13:46 +0200 (CEST) X-Originating-IP: 92.229.101.74 Received: from [192.168.1.3] (x5ce5654a.dyn.telefonica.de [92.229.101.74]) (Authenticated sender: thomasv@electrum.org) by relay3-d.mail.gandi.net (Postfix) with ESMTPSA id 6F525A80B1 for ; Tue, 14 Jul 2015 15:13:46 +0200 (CEST) Message-ID: <55A50B09.4010005@electrum.org> Date: Tue, 14 Jul 2015 15:13:45 +0200 From: Thomas Voegtlin User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: bitcoin-dev@lists.linuxfoundation.org References: <55A4AF62.4090607@electrum.org> <55A4F058.4020800@bitcoins.info> In-Reply-To: <55A4F058.4020800@bitcoins.info> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] Proposal: extend bip70 with OpenAlias X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Development Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jul 2015 13:13:50 -0000 Le 14/07/2015 13:19, Milly Bitcoin a =E9crit : >=20 >> If your email account is hacked and someone else gets a certificate in >> your name, you'd be unable to *know* about it, because they would use = a >> different CA. >=20 > Maybe I am confused but I thought you are using DNSSEC to sign the zone= s > so only the domain owner could issue certificates for a zone (or > corresponding email address). If you have "example.com" the domain > owner of the domain would sign zone "joe.example.com" which can > correspond to the "joe@example.com" email address. Under this scenario > you would only have one CA per domain. >=20 One CA per domain is indeed what I want to achieve. The paragraph you quoted was about the current situation with email certs, where that is not the case.